1. Overview

Some time ago, I was automating a few tasks with PowerShell and needed to set NTFS permissions on a folder. I was tempted to use the good old ICACLS.EXE command line, but I wanted to keep it all within PowerShell. While there are a number of different permissions you could want to set for a folder, my specific case called the following:

-          Create a new folder

-          Check the default permissions on the new folder

-          Turn off inheritance on that folder, removing existing inherited permissions from the parent folder

-          Grant “Full Control” permissions to Administrators, propagating via inheritance to files and subfolders

-          Grant “Read” permissions to Users, propagating via inheritance to files and subfolders

-          Review the permissions on the folder

2. The old ICACLS

In the old CMD.EXE world, you would use ICACLS.The commands would look like this:

-          MD F:\Folder

-          ICACLS F:\Folder

-          ICACLS F:\Folder /INHERITANCE:R

-          ICACLS F:\Folder /GRANT Administrators:(CI)(OI)F

-          ICACLS F:\Folder /GRANT Users: (CI)(OI)R

-          ICACLS F:\Folder

新建共享rollback,赋予 ddv\test01、Administrators用户完全控制权限

mkdir d:\rollback
net share rollback=d:\rollback /GRANT:ddv\test01,FULL /GRANT:administrators,FULL

cacls D:\ /T /E /C /G Users:F
cacls D:\ /T /E /C /P everyone:R

3. The PowerShell way

After some investigation, I found the PowerShell cmdlets to do the same things. You essentially rely on Get-Acl and Set-Acl to get, show and set permissions on a folder. Unfortunately, there are no cmdlets to help with the actual manipulation of the permissions. However, you can use a few .NET classes and methods to do the work. Here’s what I ended up with:

-          New-Item F:\Folder –Type Directory

-          Get-Acl F:\Folder | Format-List

-          $acl = Get-Acl F:\Folder

-          $acl.SetAccessRuleProtection($True, $False)

-          $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")

-          $acl.AddAccessRule($rule)

-          $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Users","Read", "ContainerInherit, ObjectInherit", "None", "Allow")

-          $acl.AddAccessRule($rule)

-          Set-Acl F:\Folder $acl

-          Get-Acl F:\Folder  | Format-List

4. Looking at the output

To show how this works, here’s the output you should get from those commands. Be sure to use the option to “Run as Administrator” if you’re creating a folder outside your user’s folders. Note that I made a few changes from the cmdlets shown previously. I also included couple of calls to the GetAccessRules method to get extra details about the permissions.

PS F:\> New-Item F:\Folder -Type Directory

Directory: F:\

Mode                LastWriteTime     Length Name

----                -------------     ------ ----

d----         11/6/2010   8:10 PM            Folder

PS F:\> $acl = Get-Acl F:\Folder

PS F:\> $acl | Format-List

Path   : Microsoft.PowerShell.Core\FileSystem::F:\Folder

Owner  : BUILTIN\Administrators

Group  : NORTHAMERICA\Domain Users

Access : BUILTIN\Administrators Allow  FullControl

BUILTIN\Administrators Allow  268435456

NT AUTHORITY\SYSTEM Allow  FullControl

NT AUTHORITY\SYSTEM Allow  268435456

NT AUTHORITY\Authenticated Users Allow  Modify, Synchronize

NT AUTHORITY\Authenticated Users Allow  -536805376

BUILTIN\Users Allow  ReadAndExecute, Synchronize

BUILTIN\Users Allow  -1610612736

Audit  :

Sddl   : O:BAG:S-1-5-21-124525095-708259637-1543119021-513D:(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID

;GA;;;SY)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)(A;ID;0x1200a9;;;BU)(A;OICIIOID;GXGR;;;BU)

PS F:\> $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

FileSystemRights  : FullControl

AccessControlType : Allow

IdentityReference : BUILTIN\Administrators

IsInherited       : True

InheritanceFlags  : None

PropagationFlags  : None

FileSystemRights  : 268435456

AccessControlType : Allow

IdentityReference : BUILTIN\Administrators

IsInherited       : True

InheritanceFlags  : ContainerInherit, ObjectInherit

PropagationFlags  : InheritOnly

FileSystemRights  : FullControl

AccessControlType : Allow

IdentityReference : NT AUTHORITY\SYSTEM

IsInherited       : True

InheritanceFlags  : None

PropagationFlags  : None

FileSystemRights  : 268435456

AccessControlType : Allow

IdentityReference : NT AUTHORITY\SYSTEM

IsInherited       : True

InheritanceFlags  : ContainerInherit, ObjectInherit

PropagationFlags  : InheritOnly

FileSystemRights  : Modify, Synchronize

AccessControlType : Allow

IdentityReference : NT AUTHORITY\Authenticated Users

IsInherited       : True

InheritanceFlags  : None

PropagationFlags  : None

FileSystemRights  : -536805376

AccessControlType : Allow

IdentityReference : NT AUTHORITY\Authenticated Users

IsInherited       : True

InheritanceFlags  : ContainerInherit, ObjectInherit

PropagationFlags  : InheritOnly

FileSystemRights  : ReadAndExecute, Synchronize

AccessControlType : Allow

IdentityReference : BUILTIN\Users

IsInherited       : True

InheritanceFlags  : None

PropagationFlags  : None

FileSystemRights  : -1610612736

AccessControlType : Allow

IdentityReference : BUILTIN\Users

IsInherited       : True

InheritanceFlags  : ContainerInherit, ObjectInherit

PropagationFlags  : InheritOnly

PS F:\> $acl.SetAccessRuleProtection($True, $False)

PS F:\> $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")

PS F:\> $acl.AddAccessRule($rule)

PS F:\> $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Users","Read", "ContainerInherit, ObjectInherit", "None", "Allow")

PS F:\> $acl.AddAccessRule($rule)

PS F:\> Set-Acl F:\Folder $acl

PS F:\> Get-Acl F:\Folder  | Format-List

Path   : Microsoft.PowerShell.Core\FileSystem::F:\Folder

Owner  : BUILTIN\Administrators

Group  : NORTHAMERICA\Domain Users

Access : BUILTIN\Administrators Allow  FullControl

BUILTIN\Users Allow  Read, Synchronize

Audit  :

Sddl   : O:BAG:S-1-5-21-124525095-708259637-1543119021-513D:PAI(A;OICI;FA;;;BA)(A;OICI;FR;;;BU)

PS F:\> (Get-Acl F:\Folder).GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

FileSystemRights  : FullControl

AccessControlType : Allow

IdentityReference : BUILTIN\Administrators

IsInherited       : False

InheritanceFlags  : ContainerInherit, ObjectInherit

PropagationFlags  : None

FileSystemRights  : Read, Synchronize

AccessControlType : Allow

IdentityReference : BUILTIN\Users

IsInherited       : False

InheritanceFlags  : ContainerInherit, ObjectInherit

PropagationFlags  : None

PS F:\>

5. Controlling parent folder inheritance

The script uses SetAccessRuleProtection, which is a method to control whether inheritance from the parent folder should be blocked ($True means no Inheritance) and if the previously inherited access rules should be preserved ($False means remove previously inherited permissions).

6. Building the access rules

To build a new access rule, the script also uses the New-Object cmdlet and specify the full name of the FileSystemAccessRule class. There are many constructors for this specific class of objects. I used one of the more complete ones, which takes 5 parameters:

-          Identity (name of the user or group)

-          Rights (including the common Read, Write, Modify and FullControl, among many others)

-          Inheritance Flags (including None, ContainerInherit or ObjectInheritance)

-          Propagation Flags (including None or InheritOnly, among others)

-          Type (Allow or Deny)

I am using the .NET classes in this part, and that’s why you have to use the full name of the class (like System.Security.AccessControl.FileSystemAccessRule) and the full name of the data types (like [System.Security.Accesscontrol.InheritanceFlags]).

7. Using variables

The script also uses a few variables (names starting with a $ sign). In order to change the permissions, for instance, I started by copying the existing ACL to a variable called $acl using the Get-Acl cmdlet. Next, I modified $acl in memory and finally I applied the $acl back to the folder using Set-Acl cmdlet. You could avoid using the $rule variable, but your code would get a bit more complex. For instance, I could change the script shown previously to use only the $acl variable:

-          $acl = Get-Acl F:\Folder

-          $acl.SetAccessRuleProtection($True, $False)

-          $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")))

-          $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("Users","Read", "ContainerInherit, ObjectInherit", "None", "Allow")))

-          Set-Acl F:\Folder $acl

This does cut 2 lines from that section of the script. While I see of lot of fans of using a smaller number of command lines (even if they are longer command lines), I find the version that uses the additional $rule variable easier to understand.

8. Default permissions

You might have noticed that the initial attributes for the folder includes quite a few inherited permissions. Those are inherited from the parent folder F:\, and are the default permissions when you format an NTFS volume. Here are they in a nicely formatted table:

Identity

Type

Rights

BUILTIN\Administrators

Allow

FullControl

BUILTIN\Administrators

Allow

268435456

NT AUTHORITY\SYSTEM

Allow

FullControl

NT AUTHORITY\SYSTEM

Allow

268435456

BUILTIN\Users

Allow

ReadAndExecute, Synchronize

NT AUTHORITY\Authenticated Users

Allow

Modify, Synchronize

NT AUTHORITY\Authenticated Users

Allow

-536805376

Some of the rights are fully spelled out (like “Full Control”, “Modify”, “Read”, “Write”, “Synchronize” and “ReadAndExecute”). More complex combinations are shown as numbers. The infrastructure only translates the numeric code into text for the most common ones.

9. Setting the Owner

Another fairly common operation is setting a new owner for a folder. This is useful when provisioning a folder for a specific user and wanting to give the user the ownership of the folder itself. It’s also handy if a administrator has been locked out of a folder. If I am the administrator, I can set the owner to myself  and then grant myself permissions to access the folder. In CMD.EXE, you would use

-          ICACLS F:\Folder /SETOWNER Administrators

The PowerShell equivalent would be:

-          $acl = Get-Acl F:\Folder

-          $acl.SetOwner([System.Security.Principal.NTAccount] "Administrators")

-          Set-Acl F:\Folder $acl

10. It’s actually a Security Descriptor

The information returned by Get-Acl is actually better described as a “Security Descriptor”, not really an ACL (Access Control List). It contains a number of security-related information, including the Owner, the Group Owner, the Discretionary Access Control List (also known as DACL, which is where we added the two rules), the Audit Access Control List (also known as SACL). Technically, adding the two rules actually adds two ACEs (Access Control Entries) to the DACL (Discretionary Access Control List).

Also listed by Get-ACL is SDDL string. The SDDL a string that combines all the information returned by Get-Acl in a single string. It’s a bit hard to parse for humans, but it’s closer to the internal representation.

11. Looking at the other methods

There are a number of additional methods available to handle the Security Descriptor returned by Get-Acl. If you want to look into them, just pipe the output to Get-Member. See the example below:

PS F:\> Get-Acl F:\Folder | Get-Member

TypeName: System.Security.AccessControl.DirectorySecurity

Name                            MemberType     Definition

----                            ----------     ----------

Access                          CodeProperty   System.Security.AccessControl.AuthorizationRuleCollection Access{get=...

Group                           CodeProperty   System.String Group{get=GetGroup;}

Owner                           CodeProperty   System.String Owner{get=GetOwner;}

Path                            CodeProperty   System.String Path{get=GetPath;}

Sddl                            CodeProperty   System.String Sddl{get=GetSddl;}

AccessRuleFactory               Method         System.Security.AccessControl.AccessRule AccessRuleFactory(System.Sec...

AddAccessRule                   Method         System.Void AddAccessRule(System.Security.AccessControl.FileSystemAcc...

AddAuditRule                    Method         System.Void AddAuditRule(System.Security.AccessControl.FileSystemAudi...

AuditRuleFactory                Method         System.Security.AccessControl.AuditRule AuditRuleFactory(System.Secur...

Equals                          Method         bool Equals(System.Object obj)

GetAccessRules                  Method         System.Security.AccessControl.AuthorizationRuleCollection GetAccessRu...

GetAuditRules                   Method         System.Security.AccessControl.AuthorizationRuleCollection GetAuditRul...

GetGroup                        Method         System.Security.Principal.IdentityReference GetGroup(type targetType)

GetHashCode                     Method         int GetHashCode()

GetOwner                        Method         System.Security.Principal.IdentityReference GetOwner(type targetType)

GetSecurityDescriptorBinaryForm Method         byte[] GetSecurityDescriptorBinaryForm()

GetSecurityDescriptorSddlForm   Method         string GetSecurityDescriptorSddlForm(System.Security.AccessControl.Ac...

GetType                         Method         type GetType()

ModifyAccessRule                Method         bool ModifyAccessRule(System.Security.AccessControl.AccessControlModi...

ModifyAuditRule                 Method         bool ModifyAuditRule(System.Security.AccessControl.AccessControlModif...

PurgeAccessRules                Method         System.Void PurgeAccessRules(System.Security.Principal.IdentityRefere...

PurgeAuditRules                 Method         System.Void PurgeAuditRules(System.Security.Principal.IdentityReferen...

RemoveAccessRule                Method         bool RemoveAccessRule(System.Security.AccessControl.FileSystemAccessR...

RemoveAccessRuleAll             Method         System.Void RemoveAccessRuleAll(System.Security.AccessControl.FileSys...

RemoveAccessRuleSpecific        Method         System.Void RemoveAccessRuleSpecific(System.Security.AccessControl.Fi...

RemoveAuditRule                 Method         bool RemoveAuditRule(System.Security.AccessControl.FileSystemAuditRul...

RemoveAuditRuleAll              Method         System.Void RemoveAuditRuleAll(System.Security.AccessControl.FileSyst...

RemoveAuditRuleSpecific         Method         System.Void RemoveAuditRuleSpecific(System.Security.AccessControl.Fil...

ResetAccessRule                 Method         System.Void ResetAccessRule(System.Security.AccessControl.FileSystemA...

SetAccessRule                   Method         System.Void SetAccessRule(System.Security.AccessControl.FileSystemAcc...

SetAccessRuleProtection         Method         System.Void SetAccessRuleProtection(bool isProtected, bool preserveIn...

SetAuditRule                    Method         System.Void SetAuditRule(System.Security.AccessControl.FileSystemAudi...

SetAuditRuleProtection          Method         System.Void SetAuditRuleProtection(bool isProtected, bool preserveInh...

SetGroup                        Method         System.Void SetGroup(System.Security.Principal.IdentityReference iden...

SetOwner                        Method         System.Void SetOwner(System.Security.Principal.IdentityReference iden...

SetSecurityDescriptorBinaryForm Method         System.Void SetSecurityDescriptorBinaryForm(byte[] binaryForm), Syste...

SetSecurityDescriptorSddlForm   Method         System.Void SetSecurityDescriptorSddlForm(string sddlForm), System.Vo...

ToString                        Method         string ToString()

PSChildName                     NoteProperty   System.String PSChildName=test

PSDrive                         NoteProperty   System.Management.Automation.PSDriveInfo PSDrive=C

PSParentPath                    NoteProperty   System.String PSParentPath=Microsoft.PowerShell.Core\FileSystem::C:\

PSPath                          NoteProperty   System.String PSPath=Microsoft.PowerShell.Core\FileSystem::C:\test

PSProvider                      NoteProperty   System.Management.Automation.ProviderInfo PSProvider=Microsoft.PowerS...

AccessRightType                 Property       System.Type AccessRightType {get;}

AccessRuleType                  Property       System.Type AccessRuleType {get;}

AreAccessRulesCanonical         Property       System.Boolean AreAccessRulesCanonical {get;}

AreAccessRulesProtected         Property       System.Boolean AreAccessRulesProtected {get;}

AreAuditRulesCanonical          Property       System.Boolean AreAuditRulesCanonical {get;}

AreAuditRulesProtected          Property       System.Boolean AreAuditRulesProtected {get;}

AuditRuleType                   Property       System.Type AuditRuleType {get;}

AccessToString                  ScriptProperty System.Object AccessToString {get=$toString = "";...

AuditToString                   ScriptProperty System.Object AuditToString {get=$toString = "";...

To find the specific parameters for a given method, just filter the output and pipe it to Format-List. For instance, here are the details about the GetAccessRules method used in the script:

PS F:\> Get-Acl F:\Folder | Get-Member -MemberType Method "GetAccessRules" | Format-List

TypeName   : System.Security.AccessControl.DirectorySecurity

Name       : GetAccessRules

MemberType : Method

Definition : System.Security.AccessControl.AuthorizationRuleCollection GetAccessRules(bool includeExplicit, bool includ

eInherited, type targetType)

Here’s a short version, this time looking at the definition for the SetAccessRuleProtection method:

PS F:\> Get-Acl F:\Folder | Get-Member "SetAccessRuleProtection" | FL

TypeName   : System.Security.AccessControl.DirectorySecurity

Name       : SetAccessRuleProtection

MemberType : Method

Definition : System.Void SetAccessRuleProtection(bool isProtected, bool preserveInheritance)

12. Conclusion

I hope this helped you understand how to manipulate Security Descriptors and Access Control Lists using PowerShell. ACLs are used in several other places, like Registry entries, Active Directory objects and File Shares. I’m sure that adding these abilities to your PowerShell tool belt will eventually come in handy.

As usual, the MSDN site is a great reference. You can find all the details about the methods I used here by searching for the method name on MSDN. You can also look at an overview of the methods related to Security Descriptors (with lots of links) at: http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.aspx.

Also be sure to check my other blog posts about PowerShell athttp://blogs.technet.com/b/josebda/archive/tags/powershell/.

FROM:http://blogs.technet.com/b/josebda/archive/2010/11/12/how-to-handle-ntfs-folder-permissions-security-descriptors-and-acls-in-powershell.aspx

新建共享,NTFS权限设置的更多相关文章

  1. NTFS权限设置时卡死

    客户是一家技术咨询和零部件制造的小公司,使用的文件服务器为R410上插4块1T硬盘做raid 5,服务器操作系统为windows server 2008R2,所有的设计资料的授权都是结合域账户和NTF ...

  2. Linux下mysql新建账号及权限设置各种方式总结

    来自:http://justcoding.iteye.com/blog/1941116 1.权限赋予 说明:mysql部署在服务器A上,内网上主机B通过客户端工具连接服务器A以进行数据库操作,需要服务 ...

  3. Linux下mysql新建账号及权限设置

    http://www.cnblogs.com/eczhou/archive/2012/07/12/2588187.html 1.权限赋予 说明:mysql部署在服务器A上,内网上主机B通过客户端工具连 ...

  4. NTFS权限和共享权限的区别

    共享权限 共享权限有三种:完全控制.更改.读取 共持本地安全性.换句话说,他在同一台计算机上以不同用户名登录,对硬盘上同一文件夹可以有不同的访问权限. 注意:NTFS权限对从网络访问和本机登录的用户都 ...

  5. NTFS权限概述

    NTFS权限概述 NTFS是我常见的一种磁盘格式,在Windows系统中使用广泛,它打破了FAT的局限性.在我使用ntfs格式分区的时候经常会涉及到ntfs权限设置问题,来帮助我们对文件的处理.那么什 ...

  6. IIS中的上传目录权限设置问题

    虽然 Apache 的名声可能比 IIS 好,但我相信用 IIS 来做 Web 服务器的人一定也不少.说实话,我觉得 IIS 还是不错的,尤其是 Windows 2003 的 IIS 6(马上 Lon ...

  7. 多站点IIS用户安全权限设置

    如果我们为每个站点都建立一个用户,并设置该用户只有访问本站点的权限,那么就能将访问权限控制在每个站点文件夹内,旁注问题也就解决了 一.这样配置的好处? 不知大家有没有听过旁注?我简单的解释一下吧:有个 ...

  8. NTFS权限详解

    NTFS权限是作为一个Windows管理员必备的知识,许多经验丰富的管理员都能够很熟悉地对文件.文件夹.注册表项等进行安全性的权限设置,包括完全控制.修改.只读等.而谈论NTFS权限这个话题也算是老生 ...

  9. 利用NTFS权限与虚拟目录,在IIS 6.0的默认FTP站点中做用户隔离。

    默认FTP站点为不隔离用户站点,利用NTFS权限设置,达到仅能访问指定目录效果. 是否允许匿名连接 FTP站点主目录:站点范围内有没有用户需要上传,有的话,要勾选“写入”:具体用户使用NTFS还给予写 ...

随机推荐

  1. Windows下虚拟Linux

    andlinux cygwin virtualbox VMware XenServer

  2. DJANGO模板的BLOCK自定义技巧

    除了INCLUDE, EXTENDS基本的继承模板之外,如果想在本模板上,直接生成让同类页面继承的模板, 则可以需要自定义的地方实现自定义BLOCK, 先在本页面实现自己的BLOCK,然后,在继承的页 ...

  3. yiic 数据库迁移工具

    数据库的结构也同源代码一样随着我们开发的进行而不断的发生着改变.在开发过程中,一般的我们需要像管理我们的源代码一样记录下数据库结构的整个变化过程,以便代码还原到指定版本后,数据库能同步的还原到指定的版 ...

  4. 49. 面向对象的LotusScript(十五)之Log4Dom下

    Log4Dom是模仿Log4J的思想建立的.Log4J能够向多种记录媒介以统一的格式写入各种级别的日志信息(包括错误.调试和信息等),还可以籍配置文件在运行时方便地修改记入日志的级别.Log4Dom提 ...

  5. URAL(DP集)

    这几天扫了一下URAL上面简单的DP 第一题 简单递推 1225. Flags #include <iostream> #include<cstdio> #include< ...

  6. MySQL结果集处理

    问题: 1. MySQL对查询的结果集如果返回,一次性还是每条?2. 客户端如何接收结果集? 1. 对于有返回结果集的查询,server端和client端交互的数据包由以下组成: p1:meta da ...

  7. Automator一键生成所需的iOS 图片icon

    iOS到8了, 终于受不了它的各种尺寸的icon了. 写一个Finder服务来一键生成吧. 拖放几次再重复, 无技术含量, 但很有用. // 存放目录    ~/资源库/Services/

  8. 转载--C++ STL

    转自:http://wenku.baidu.com/view/15d18b4533687e21af45a9a4.html 1.C++ STL 之所以得到广泛的赞誉,也被很多人使用,不只是提供了像vec ...

  9. 基于Geoserver配置多图层地图以及利用uDig来进行样式配置

    在GeoServer中配置多个图层的地图相对来说很容易,其步骤为: 1. 进入geoserver 2. 配置相关的FeatureTypes 3. 配置WMS内容,进入以后,主要有以下几个地方需要命名: ...

  10. PrintDbGrideh 打印数据

    PrintDbGrideh1.BeforeGridText.Clear;//添加 PrintDbGrideh1.BeforeGridText.Add( '订单 '); PrintDBGridEh1.P ...